PE-13(3): Automatic Fire Suppression
PE-13(3) requires you to protect facilities that host your federal system (or contractor system handling federal data) with automatic fire suppression appropriate to the environment, and to be able to prove it works through inspection, testing, and maintenance records. Operationalize it by scoping covered spaces, validating suppression design and coverage, and running a repeatable evidence cycle tied to a control owner. 1
Key takeaways:
- Scope the “system facility” precisely (data halls, MDF/IDF, UPS/battery rooms, telecom rooms, on-prem server rooms, and supporting areas) and document inclusions/exclusions.
- Confirm the installed suppression type fits the hazard class and won’t create unacceptable downtime or equipment damage for your mission.
- Evidence wins audits: keep drawings, acceptance tests, inspection/maintenance logs, impairment tracking, and change records.
The PE-13(3) automatic fire suppression requirement is a facilities-heavy control with a compliance-heavy failure mode: teams often have suppression installed, but cannot show it is properly designed for the protected spaces, kept in service, and maintained with disciplined records. For a CCO or GRC lead, the fastest path is to treat PE-13(3) like a packaged “facility safeguard” program: define scope, name the owner, document the system and its coverage, and implement a recurring evidence cadence that matches how your buildings are actually operated.
This control typically sits at the boundary between Security/GRC and Facilities/Operations (and sometimes a colocation provider). That boundary is where audits get stuck: who owns the suppression system, who receives impairment notices, how changes are approved, and how you prove the suppression is still effective after room reconfiguration or new equipment installs.
This page gives requirement-level implementation guidance you can execute quickly: what spaces count, what to request from Facilities or your third-party data center, how to structure procedures and records, and what auditors tend to challenge. The goal is simple: suppression that is appropriate, operational, and provable.
Regulatory text
NIST control reference: “NIST SP 800-53 control PE-13.3.” 1
Operator interpretation (what you must do): Implement automatic fire suppression for system facilities and maintain it as an operational safeguard, with governance and records sufficient to demonstrate it is in place and functioning as intended. The work is not “buy a suppression system once”; it is to keep protection continuously effective through defined ownership, maintenance, impairment handling, and change control. 1
Plain-English interpretation
Automatic fire suppression means a fixed, automatically actuated system that detects and suppresses fire without waiting for a person to respond. For most organizations, that means sprinkler systems and/or clean-agent suppression in IT-critical spaces. Compliance requires two things:
- Coverage: protected spaces are actually covered by suppression appropriate to the risk; and
- Assurance: you can show it stays in service and is maintained, tested, and repaired based on a defined program.
Who it applies to
Entity scope
- Federal information systems hosted in government-operated facilities. 2
- Contractor systems handling federal data where PE controls are in scope contractually (including environments supporting federal workloads). 2
Operational scope (what environments are typically in scope)
- Organization-owned data centers, server rooms, and network closets that are designated as part of the system boundary.
- Supporting utility rooms that create fire risk to the system (commonly UPS rooms, battery rooms, generator rooms, or adjacent spaces), if included in your system’s authorization boundary.
- Third-party facilities (colocation, managed hosting) where your system is housed. In that case, you still own compliance, but you satisfy it by contracting for, verifying, and retaining evidence of the third party’s suppression controls.
What you actually need to do (step-by-step)
Step 1 — Define the “system facility” scope and boundary
- List covered spaces by building, floor, and room: data hall(s), server rooms, MDF/IDF, telecom rooms, storage areas for IT spares, UPS/battery rooms, and any dedicated mechanical/electrical spaces included in the system boundary.
- Map to the system boundary artifacts you already maintain (SSP, network diagrams, asset inventory, or facility diagrams).
- Document exclusions explicitly (example: “Corporate office areas excluded from the system boundary”), and state the rationale.
Deliverable: a one-page PE-13(3) scope map with room identifiers and ownership (Facilities vs. third party).
Step 2 — Identify suppression type(s) and confirm appropriateness
- For each in-scope space, record the suppression system type (e.g., pre-action sprinkler, wet pipe sprinkler, clean agent).
- Record the detection/actuation mechanism at a high level (automatic detection tied to release, cross-zoning if applicable, or sprinkler thermal activation).
- Confirm the system is appropriate to the environment and mission needs:
  - Will discharge harm critical equipment or cause unacceptable downtime?
  - Are there special hazards (battery chemistry, fuel storage, high air flow) that drive a different design?
- If a third party operates the building, obtain their attestation packet (see Evidence section) and validate it covers your cages/rooms.
Practical tip: auditors rarely want deep fire engineering math. They want to see you identified the protection method and verified coverage and upkeep for the spaces that matter.
Step 3 — Assign a control owner and define handoffs with Facilities/third parties
- Name a PE-13(3) control owner (often Facilities Manager, Data Center Ops, or Security Engineering for owned facilities; for colo, a Vendor/Third-Party Risk owner plus a technical verifier).
- Create a RACI for: inspections, testing, repairs, impairment approvals, after-hours response, and evidence collection.
- Establish an impairment notification path: who gets notified if suppression is offline, partially offline, or under maintenance; who approves compensating controls; who records the event.
This is where teams get stuck in audits: suppression can be perfect, but nobody can explain who is accountable.
Step 4 — Implement an inspection, testing, and maintenance (ITM) evidence cycle
- Require scheduled inspections and testing/maintenance performed by qualified internal staff or qualified service providers.
- Maintain a deficiency log: what was found, severity, corrective action, and closure evidence.
- Track repairs and parts replacement as change records tied to the relevant room/system.
- Maintain a simple suppression readiness register per site with the latest inspection date, open issues, and next planned service.
If you use Daydream for control operations, treat PE-13(3) as a recurring evidence workflow: assign the owner, set the collection cadence you can sustain, and store third-party ITM reports and impairment tickets as the standing artifacts. This aligns directly to the recommended best practice of mapping PE-13(3) to a control owner, an implementation procedure, and recurring evidence artifacts. 1
Step 5 — Add change control triggers that prevent “silent noncompliance”
Add explicit triggers to your facilities and IT change processes. Examples:
- Room reconfiguration (racks added/moved, hot aisle containment changes)
- Ceiling/raised floor work
- Detection/suppression panel changes
- Any period where suppression is impaired
For each trigger, require: impact assessment, approval, and post-change verification evidence.
Required evidence and artifacts to retain
Keep evidence tied to each in-scope facility and suppression system. Auditors look for traceability: “This room is in scope; this is the suppression covering it; here’s the proof it’s maintained.”
Core artifacts (owned facilities or third party)
- Facility scope map / room list (system boundary mapping)
- Suppression system description by space (type, coverage statement, interfaces to detection/alarm)
- As-built drawings or equivalent documentation showing coverage areas (if available)
- Acceptance/commissioning documentation for new installs or major modifications
- Inspection/testing/maintenance reports from providers or internal teams
- Deficiency and corrective action log with closure evidence
- Impairment log (start/end time, reason, approvals, compensating controls, communications)
- Service provider qualifications (contract/SOW, certifications if provided)
- Third-party evidence package for colo/managed facilities (latest ITM reports, SOC reports if available, contractual commitments)
Retention tip: store artifacts in a system your auditors can navigate by site → room → control → period. That structure reduces fieldwork thrash.
Common exam/audit questions and hangups
Expect questions like:
- “Show me the list of facilities/rooms in scope for this system boundary.”
- “What automatic suppression protects the primary compute and network spaces?”
- “Provide the last inspection/test reports and show any findings were remediated.”
- “Was suppression ever impaired? What did you do during the impairment?”
- “If you’re in a colo, how do you know the provider’s suppression controls cover your space and are maintained?”
Common hangup: teams provide a building fire marshal certificate or a generic “sprinklers present” statement but cannot connect it to specific rooms and recent maintenance evidence.
Frequent implementation mistakes and how to avoid them
- Mistake: treating building code compliance as full PE-13(3) compliance.
  Fix: keep code documents, but also keep ITM logs, impairment tracking, and a scoped room list tied to the system boundary.
- Mistake: missing third-party accountability in colo or managed hosting.
  Fix: contract for evidence delivery, define who reviews it, and track non-receipt as a compliance issue.
- Mistake: no impairment process.
  Fix: require maintenance windows to generate an impairment record with start/stop times, approver, and compensating controls (fire watch, restricted work, temporary monitoring), consistent with how your Facilities team operates.
- Mistake: changes to the room invalidate assumptions.
  Fix: add change triggers so containment changes, rack layout changes, or construction work prompts a suppression coverage review.
Enforcement context and risk implications
No public enforcement cases were provided in the source catalog for this requirement. In practice, the risk is operational and mission-impacting: fire suppression failures can create loss of availability, loss of equipment, safety hazards, and prolonged recovery times. For federal or federal-adjacent workloads, the compliance risk often shows up as assessment findings tied to missing evidence, unclear boundary scope, or reliance on third parties without verification. 2
Practical 30/60/90-day execution plan
First 30 days (stabilize scope and ownership)
- Confirm in-scope facilities and rooms; publish the PE-13(3) scope map.
- Assign the control owner and define RACI for Facilities, Security, and third parties.
- Collect what already exists: last ITM report(s), drawings/coverage documents, and any known impairment records.
- Open gaps as tracked issues: missing reports, unclear coverage areas, or rooms without documented suppression.
By 60 days (close obvious evidence gaps; operationalize repeatability)
- Establish the repeatable evidence workflow (collection, review, storage, exception handling).
- Implement deficiency tracking with remediation owners and due dates.
- For third-party sites, amend contracts/SOWs if needed to require timely ITM evidence delivery and impairment notification.
- Add change control triggers and update runbooks so Facilities/IT know when PE-13(3) must be revalidated.
By 90 days (prove operation over time; be assessment-ready)
- Demonstrate at least one full evidence cycle: inspection/testing, findings, remediation, closure.
- Run an internal “tabletop” audit: pick one room and trace from boundary → suppression type → ITM evidence → deficiencies → closure.
- Confirm metrics you can report without inventing precision: open deficiencies count, evidence currency status, and impairment events logged (qualitative trending is fine).
- If using Daydream, set PE-13(3) as a recurring control with assigned ownership and required artifacts so audits pull from a consistent evidence library. 1
Frequently Asked Questions
Does PE-13(3) require clean-agent suppression in server rooms?
The control requires automatic fire suppression, but the specific technology choice depends on your environment and risk tolerance. Document what you have, why it is appropriate for the protected space, and how you maintain it. 1
If we’re in a colocation data center, can we inherit this control?
You can rely on the third party’s suppression system, but you still need governance and evidence. Contract for inspection/testing records and impairment notifications, then retain those artifacts as your proof. 1
What’s the minimum evidence auditors expect?
A scoped room list, suppression coverage description, and recent inspection/testing/maintenance documentation with a remediation trail for any findings. If suppression is ever impaired, auditors expect an impairment record and compensating controls documentation. 1
How do we handle suppression impairments during planned maintenance?
Require an impairment approval, record the timeframe and affected areas, document compensating controls, and capture the restoration confirmation. Treat each impairment as a trackable event with closure evidence.
Our facility has sprinklers, but we don’t have as-built drawings. Is that a failure?
Not automatically, but you need another credible way to show coverage for in-scope rooms (provider documentation, facility reports, or commissioning/inspection materials). Document the gap and a plan to obtain or recreate coverage documentation.
Who should own PE-13(3), Security or Facilities?
Facilities typically operates suppression systems; Security/GRC should own the compliance mapping, evidence requirements, and assessment readiness. Make the handoff explicit in a RACI so audit questions have a clean answer.
Footnotes
1. Source: NIST SP 800-53 Rev. 5 OSCAL JSON